11-19-2011 11:51 AM - edited 03-07-2019 03:29 AM
Hello All
Router Scenario
Sitting on the router console, can I SSH to a router / firewall on the Internet?
Firewall Scenario
Sitting on the ASA console, can I SSH and Telnet to a router / firewall on the Internet?
thanks
Joe
11-19-2011 11:58 AM
Dear Joe,
If your Cisco router runs a particular IOS release, yes, you can directly open an SSH session to another device/host if you logged in by telnet. The other device must be available over the network/Internet, and thus your device requires proper network setup.
But before doing so, I first recommend having a close look at how to use the ssh command from a Cisco router and getting familiar with its parameters.
Router# ssh ?
Regards,
David.
11-19-2011 12:06 PM
Hello David,
Using PuTTY and SecureCRT I can telnet / SSH to a remote router or firewall. Sitting on the router console, can I SSH to an ASA?
I have 12.4 K9 IOS running on a 2801 router.
My second request was: sitting on the firewall (ASA), can I telnet and SSH to a remote router or ASA?
thanks
Joe
11-19-2011 12:15 PM
Joe,
Cisco firewalls don't have SSH or telnet clients, so you can telnet or SSH to the firewall but not from the firewall.
If you are on the router you can SSH to a router or firewall, provided you have the permissions to do so.
HTH
11-19-2011 12:22 PM
Sitting on Router
R# ssh 1.2.3.4
Is it normal that it won't ask for a username, only for a password and then the enable password?
The same router, when I SSH from PuTTY, asks for username and password.
11-19-2011 12:47 PM
Sitting on Router
R# ssh 1.2.3.4
Is it normal that it won't ask for a username, only for a password and then the enable password?
The same router, when I SSH from PuTTY, asks for username and password.
The router can be configured both ways, but it is a good idea to make sure it asks for username and password.
HTH
11-19-2011 03:01 PM
Hi Reza,
I was reading this post where you said
Sitting on Router
R# ssh 1.2.3.4
Is it normal that it won't ask for a username, only for a password and then the enable password?
The same router, when I SSH from PuTTY, asks for username and password.
I tried on my router:
2691Router#ssh 192.168.5.2
Password:
Password:
Password:
3550SMIA>en
Password:
3550SMIA#
Can you please tell me why it only asks for a password when we SSH from another router, but when we SSH from PuTTY it asks for both username and password?
Thanks
Mahesh
11-19-2011 05:26 PM
Mahesh,
It does not make any difference whether you try to log in from another router or PuTTY.
What I was saying is this:
You can log in to the router by just providing a password without a username, or you can log in with username and password, which is more secure and should be practiced.
Basically, if you remove "login local" from your vty lines and assign an enable secret, you can log in with the enable secret password without any username.
HTH
11-19-2011 06:00 PM
Hi Reza,
Thanks for replying back,
but in my case here is the 3550 config:
line vty 0 4
 exec-timeout 60 0
 length 500
 transport input telnet ssh
 escape-character 3
line vty 5 15
 exec-timeout 60 0
 length 500
 transport input telnet ssh
 escape-character 3
username mintoo privilege 15 secret 5 $1$JKF9$S8eq/83XCKWRrC3521Djv0
I can SSH to the switch using PuTTY, and then it asks for username and password even though no login command is there.
Do you know why this is?
Thanks
11-19-2011 01:04 PM
Dear Joe,
To get asked for a username + password on login, you need to perform the following steps:
conf t
username <name> privilege <level> password 0 <password>
aaa new-model
aaa authentication login default local
aaa session-id common
end
wr
copy run start
First you create a new user with username, permission level and password.
0 after 'password' means it is followed by a clear-text, non-encrypted password; 7 means you will enter an already encrypted password (caution!!! the encryption algorithm must match!).
You then enable the AAA framework; AAA stands for authorization, authentication, accounting.
AAA provides the following benefits:
• Increased flexibility and control of access configuration
• Scalability
• Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
• Multiple backup systems
(taken from: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfaaa.html)
The line 'aaa authentication login default local' means that you enable local authentication using the user/access credentials you configure directly on the Cisco box. There are many other facilities available, such as RADIUS, or databases.
The line 'aaa session-id common' enables a kind of session handling with a regular system session ID, e.g. for login expiry, expiry on idle, session logging.
I trust the above is of use to you.
All the best,
David.
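An offline check for the settings discussed in this thread (vty login method, `aaa new-model`, and how local passwords are stored), run against a saved copy of a running-config. This is an added example, not part of the post above and not a Cisco tool; the function names, the `labuser` account and the sample config are constructed, and the posted hash is replaced by a placeholder.

```python
import re
from itertools import takewhile

# Constructed sample modelled on the stanzas posted in this thread.
SAMPLE = """\
username mintoo privilege 15 secret 5 HASH-PLACEHOLDER
username labuser privilege 15 password 0 ExamplePass
line vty 0 4
 exec-timeout 60 0
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

USER_RE = re.compile(r"^username (\S+) (?:.* )?(password|secret) (\d+) \S")
WEAK = {"0": "clear text", "7": "reversible type 7"}

def vty_login_method(body, aaa):
    """Classify how one 'line vty' stanza authenticates logins."""
    if aaa:
        return "aaa"             # AAA method lists decide, not the line itself
    if "no login" in body:
        return "none"
    if "login local" in body:
        return "local-username"
    if "login" in body:
        return "line-password"   # line password only, no local username check
    return "not-shown"           # the excerpt does not say; do not guess

def audit(config):
    """Return (scope, finding) pairs for the login settings discussed above."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    aaa = "aaa new-model" in lines
    out = []
    for i, line in enumerate(lines):
        m = USER_RE.match(line)
        if m and m.group(2) == "password":
            how = WEAK.get(m.group(3), "type " + m.group(3))
            out.append((f"user {m.group(1)}", f"password stored as {how}; use 'secret'"))
        if line.startswith("line vty "):
            body = [s.strip() for s in takewhile(lambda s: s.startswith(" "), lines[i + 1:])]
            method = vty_login_method(body, aaa)
            if method not in ("aaa", "local-username"):
                out.append((line, f"login method: {method}"))
            tin = next((b.split()[2:] for b in body if b.startswith("transport input ")), [])
            if "telnet" in tin or "all" in tin:
                out.append((line, "telnet permitted (unencrypted)"))
    return out
```

A `not-shown` result means the excerpt contains neither a `login` statement nor `aaa new-model`, so the rest of the configuration has to be checked before drawing a conclusion.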
11-19-2011 12:41 PM
Dear Joe,
I am sorry to admit that I have only some minor experience with Cisco routers, not with Cisco ASA systems or Cisco firewalls - I actually do not know if the ASA systems are firewalls or even switches..... ;-)
Your IOS 12.4K9 should support opening an SSH session from the Cisco router console to another host.
As Reza and I already outlined: sufficient network setup and proper permissions are essential for a successful SSH session.
All the best,
David.
11-19-2011 06:42 PM
I believe that the excellent discussion of configuring AAA authentication to require user name and password fails to address one important aspect of the question about why sometimes you are asked only for a password and not the user name and password. They are assuming that the configuration of the router or switch was calling only for the line password. But I have had experiences where this clearly was not the case.
When you SSH from SecureCRT which is running on your PC my experience is that it will always need the user name in addition to the password. But if you SSH or telnet to a router and authenticate with your user name and also password, and then you SSH from the router to another router or switch you will be prompted only for the password (even though the router or switch is correctly configured to require name and password). What is happening is that in initiating the SSH session the router has supplied your user name for the new SSH session to the other router or switch and all the router or switch requires is the password. You can check it out by following this process:
- SSH or telnet to a router and authenticate with name and password.
- From that router, SSH to another router. The router should prompt only for password.
- In your session on the second router, issue the command show user.
- You should see that the router has your user name associated with your session (even though it did not prompt you for the user name, it has learned the user name).
HTH
Rick
11-19-2011 06:55 PM
Hi Rick,
Many thanks for answering my question in detail.
In this forum I always like to read your answers to the posted questions.
Your explanation is always in depth and amazing.
Best regards
Mahesh
07-13-2017 07:16 PM
I'm surprised at the refusal of everyone else to write a correct answer. Thank you so much for actually answering the question asked.
07-14-2017 08:12 AM
You are welcome. I do not necessarily see this as people refusing to write a correct answer. The original question was about ssh and telnet from a router and from an ASA. There were a couple of correct answers about that. Then the question went in a different direction asking why sometimes an ssh from the router prompts only for password and not for ID. Some thought that it might relate to how aaa authentication was configured. I thought that it would relate to whether the device that originates the ssh request has already authenticated your ID and password. Once I posted my explanation the others did not have anything to add to it and so did not post any further responses.
HTH
Rick